
Certificate creation process fails because of "JWS has invalid anti-replay nonce" #2252

Closed
jonathan-reisdorf opened this issue Jan 21, 2016 · 4 comments

Comments

@jonathan-reisdorf

Currently when trying to create new certificates I always get an error after the first step (selecting the domains to enable SSL for) of letsencrypt-auto. I get the following error:
Error: urn:acme:error:badNonce :: The client sent an unacceptable anti-replay nonce :: JWS has invalid anti-replay nonce

This seems to be a new problem as the certificates I requested in the past did not fail like this.

Here is my logfile (with masked details):

# cat letsencrypt.log
2016-01-21 12:17:28,936:DEBUG:letsencrypt.cli:Root logging level set at 30
2016-01-21 12:17:28,936:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-01-21 12:17:28,936:DEBUG:letsencrypt.cli:letsencrypt version: 0.2.0
2016-01-21 12:17:28,936:DEBUG:letsencrypt.cli:Arguments: []
2016-01-21 12:17:28,936:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-01-21 12:17:28,939:DEBUG:letsencrypt.cli:Requested authenticator None and installer None
2016-01-21 12:17:29,321:DEBUG:letsencrypt.display.ops:Single candidate plugin: * apache
Description: Apache Web Server - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = letsencrypt_apache.configurator:ApacheConfigurator
Initialized: <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7f1b6a9a1410>
Prep: True
2016-01-21 12:17:29,321:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7f1b6a9a1410> and installer <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7f1b6a9a1410>
2016-01-21 12:17:31,448:DEBUG:letsencrypt.cli:Picked account: <Account(--MASKED--)>
2016-01-21 12:17:31,448:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-01-21 12:17:31,452:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-01-21 12:17:31,701:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 263
2016-01-21 12:17:31,703:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '263', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Date': 'Thu, 21 Jan 2016 12:17:28 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '--MASKED--'}. Content: '{"new-authz":"https://acme-v01.api.letsencrypt.org/acme/new-authz","new-cert":"https://acme-v01.api.letsencrypt.org/acme/new-cert","new-reg":"https://acme-v01.api.letsencrypt.org/acme/new-reg","revoke-cert":"https://acme-v01.api.letsencrypt.org/acme/revoke-cert"}'
2016-01-21 12:17:31,704:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '263', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Date': 'Thu, 21 Jan 2016 12:17:28 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '--MASKED--'}): '{"new-authz":"https://acme-v01.api.letsencrypt.org/acme/new-authz","new-cert":"https://acme-v01.api.letsencrypt.org/acme/new-cert","new-reg":"https://acme-v01.api.letsencrypt.org/acme/new-reg","revoke-cert":"https://acme-v01.api.letsencrypt.org/acme/revoke-cert"}'
2016-01-21 12:17:31,860:INFO:letsencrypt.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0017_key-letsencrypt.pem
2016-01-21 12:17:31,863:INFO:letsencrypt.crypto_util:Creating CSR: /etc/letsencrypt/csr/0017_csr-letsencrypt.pem
2016-01-21 12:17:31,863:DEBUG:letsencrypt.client:CSR: CSR(file='/etc/letsencrypt/csr/0017_csr-letsencrypt.pem', data='--MASKED--', form='der'), domains: ['--MASKED--']
2016-01-21 12:17:31,863:DEBUG:root:Requesting fresh nonce
2016-01-21 12:17:31,863:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2016-01-21 12:17:31,864:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-01-21 12:17:31,886:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2016-01-21 12:17:31,887:DEBUG:root:Received <Response [405]>. Headers: {'Content-Length': '78', 'Server': 'nginx', 'Connection': 'keep-alive', 'Allow': 'POST', 'Date': 'Thu, 21 Jan 2016 12:17:28 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': '--MASKED--'}. Content: ''
2016-01-21 12:17:31,887:DEBUG:acme.client:Storing nonce: '--MASKED--'
2016-01-21 12:17:31,888:DEBUG:acme.jose.json_util:Omitted empty fields: expires=None, challenges=None, status=None, combinations=None
2016-01-21 12:17:31,888:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "--MASKED--"}, "resource": "new-authz"}
2016-01-21 12:17:31,889:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), kid=None, jwk=None, x5t=None, x5tS256=None, cty=None, x5u=None, typ=None, alg=None, jku=None
2016-01-21 12:17:31,891:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), kid=None, nonce=None, x5tS256=None, cty=None, x5t=None, x5u=None, typ=None, jku=None
2016-01-21 12:17:31,891:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "--MASKED--"}}, "protected": "--MASKED--", "payload": "--MASKED--", "signature": "--MASKED--"}'}
2016-01-21 12:17:31,892:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-01-21 12:17:32,103:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 400 92
2016-01-21 12:17:32,105:DEBUG:root:Received <Response [400]>. Headers: {'Content-Length': '92', 'Server': 'nginx', 'Connection': 'close', 'Date': 'Thu, 21 Jan 2016 12:17:28 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': '--MASKED--'}. Content: '{"type":"urn:acme:error:badNonce","detail":"JWS has invalid anti-replay nonce","status":400}'
2016-01-21 12:17:32,105:DEBUG:acme.client:Storing nonce: '--MASKED--'
2016-01-21 12:17:32,105:DEBUG:acme.client:Received response <Response [400]> (headers: {'Content-Length': '92', 'Server': 'nginx', 'Connection': 'close', 'Date': 'Thu, 21 Jan 2016 12:17:28 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': '--MASKED--'}): '{"type":"urn:acme:error:badNonce","detail":"JWS has invalid anti-replay nonce","status":400}'
2016-01-21 12:17:32,106:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/home/ubuntu/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1398, in main
    return args.func(args, config, plugins)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 559, in run
    lineage = _auth_from_domains(le_client, config, domains)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 404, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 283, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 266, in obtain_certificate
    return self._obtain_certificate(domains, csr) + (key, csr)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 224, in _obtain_certificate
    authzr = self.auth_handler.get_authorizations(domains)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 74, in get_authorizations
    domain, self.account.regr.new_authzr_uri)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 215, in request_domain_challenges
    typ=messages.IDENTIFIER_FQDN, value=domain), new_authz_uri)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 195, in request_challenges
    response = self.net.post(new_authzr_uri, new_authz)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 634, in post
    return self._check_response(response, content_type=content_type)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 550, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:badNonce :: The client sent an unacceptable anti-replay nonce :: JWS has invalid anti-replay nonce

I hope that is helpful somehow.
Thanks a lot in advance!
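The anti-replay nonce mechanism behind this error, as an added simulation that is not part of the issue or of the letsencrypt/acme code: the server hands out a Replay-Nonce on every response (including the 405 from the HEAD and the 400 error itself), each nonce is valid for exactly one signed POST, and a stale or reused nonce yields the badNonce problem document shown in the log. The AcmeServer/AcmeClient classes, paths and nonce values are constructed; JWS signing is left out.

```python
import json
import secrets

# Constructed simulation of the ACME v1 anti-replay nonce flow seen in the log:
# HEAD yields a Replay-Nonce, the client puts it in the JWS protected header of
# its next POST, and the server accepts each nonce exactly once. Added example,
# not the acme library's code; signing is omitted, only nonce handling is modelled.
BAD_NONCE = "urn:acme:error:badNonce"


class AcmeServer:
    def __init__(self):
        self.valid = set()  # nonces issued but not yet consumed

    def _fresh(self):
        nonce = secrets.token_urlsafe(16)
        self.valid.add(nonce)
        return nonce

    def head(self, path):
        # Like the log's "HEAD /acme/new-authz": 405, but with a usable nonce.
        return 405, {"Allow": "POST", "Replay-Nonce": self._fresh()}, ""

    def post(self, path, jws):
        nonce = json.loads(jws["protected"]).get("nonce")
        headers = {"Replay-Nonce": self._fresh()}  # every reply carries a new nonce
        if nonce not in self.valid:  # unknown, stale or already consumed
            problem = {"type": BAD_NONCE, "status": 400,
                       "detail": "JWS has invalid anti-replay nonce"}
            return 400, headers, json.dumps(problem)
        self.valid.discard(nonce)  # single use: a replayed JWS is rejected
        return 201, headers, json.dumps({"status": "pending"})


class AcmeClient:
    def __init__(self, server):
        self.server, self.nonces = server, []

    def _take_nonce(self, path):
        if not self.nonces:  # "Requesting fresh nonce" in the log
            self.nonces.append(self.server.head(path)[1]["Replay-Nonce"])
        return self.nonces.pop()

    def post(self, path, payload, retry_bad_nonce=True):
        while True:
            protected = json.dumps({"alg": "RS256", "nonce": self._take_nonce(path)})
            jws = {"protected": protected, "payload": json.dumps(payload)}
            status, headers, body = self.server.post(path, jws)
            self.nonces.append(headers["Replay-Nonce"])  # "Storing nonce" in the log
            if status == 400 and json.loads(body).get("type") == BAD_NONCE and retry_bad_nonce:
                retry_bad_nonce = False  # retry once with the nonce from the error
                continue
            return status, json.loads(body)
```

A client that holds a nonce left over from an earlier run reproduces the 400 in the log on its first POST; using the Replay-Nonce returned with that error on the next attempt succeeds.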

@jonathan-reisdorf
Author

By the way, I tried it multiple times and it always failed at the same step. Hope I don't hit the certificate request limit with this issue.

@bmw bmw added the area: acme label Jan 21, 2016
@bmw
Member

bmw commented Jan 21, 2016

@jonathan-reisdorf, to be safe, you can add --staging on the command line which will run letsencrypt against a test server with different and much more lenient rate limits.

@kuba
Contributor

kuba commented Jan 21, 2016

Duplicate of #2244.

@kuba kuba closed this as completed Jan 21, 2016
@jean

jean commented Apr 27, 2016

This bit me once, retrying with --staging worked.
